How Do I configure Okteto with cert-manager and AWS Route53?

How do I configure the Okteto wildcard certificate with cert-manager and Route53?

The recommended solution is to use IAM Roles for service accounts.

In order to do that, configure a role with the following policy permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:GetChange",
            "Resource": "arn:aws:route53:::change/*"
        },
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/*"
        }
    ]
}

Create an AWS IAM Role for the cert-manager service account. Replace the variables below with your own information.

eksctl create iamserviceaccount \
  --cluster $CLUSTER_NAME \
  --region $REGION \
  --name cert-manager \
  --namespace $RELEASE_NAMESPACE \
  --attach-policy-arn $POLICY_ARN \
  --role-name ${YOUR_ROLE_NAME} \
  --role-only \
  --approve

and add these options to your cert-manager Helm configuration file:

  extraArgs: [--issuer-ambient-credentials=true]
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: 'arn:aws:iam::<<aws-account-id>>:role/<<your-role-name>>'

Once your cert-manager is configured this way, create the following Issuer in the okteto namespace:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: okteto-letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email:  "<<your-email>>"
    privateKeySecretRef:
      name: okteto-letsencrypt-acme
    solvers:
    - http01:
        ingress:
          serviceType: ClusterIP
          class: nginx
    - dns01:
        route53:
          region: "<<your-cluster-region>>"

and the following Certificate:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: okteto-letsencrypt
spec:
  secretName: okteto-letsencrypt
  duration: 8760h0m0s
  renewBefore: 600h0m0s # 25d
  issuerRef:
    name: okteto-letsencrypt
    kind: Issuer
  dnsNames:
    - "*.<<your-okteto-subdomain>>"

Now, add the following to your Okteto Helm configuration file to tell Okteto and NGINX to use your certificate:

wildcardCertificate:
  create: false
  name: okteto-letsencrypt

ingress-nginx:
  controller:
    extraArgs:
      default-ssl-certificate: $(POD_NAMESPACE)/okteto-letsencrypt

Finally, upgrade your Okteto installation for the new configuration to be applied.

For troubleshooting, you can check the cert-manager logs and the events associated with the Challenge, Order and CertificateRequest resources.
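
As an added check that is not part of this thread: a small Python script that audits the Route53 policy above before it is attached with eksctl. It flags any action outside what cert-manager's Route53 DNS-01 solver needs and the account-wide hostedzone/* resource, and rewrites that resource to one hosted zone id. The zone id and the embedded policy text are constructed sample values.

```python
import json

# Actions cert-manager's Route53 DNS-01 solver actually uses; anything else
# attached to the cert-manager role is excess privilege for a cert-issuing pod.
ALLOWED_ACTIONS = {
    "route53:GetChange",                 # poll whether the TXT change propagated
    "route53:ChangeResourceRecordSets",  # write/delete the _acme-challenge TXT record
    "route53:ListHostedZonesByName",     # needed only when the solver omits hostedZoneID
}

# Constructed sample: the policy from the answer above, with hostedzone/* unscoped.
PAGE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "route53:GetChange",
     "Resource": "arn:aws:route53:::change/*"},
    {"Effect": "Allow", "Action": "route53:ChangeResourceRecordSets",
     "Resource": "arn:aws:route53:::hostedzone/*"}
  ]
}"""

def as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_route53_policy(policy_json: str, hosted_zone_id: str) -> list:
    """Return findings for a cert-manager Route53 policy; an empty list means clean.
    Invalid JSON (e.g. a trailing comma) raises json.JSONDecodeError before IAM sees it."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"unexpected action {action}")
        for resource in as_list(stmt.get("Resource", [])):
            if resource == "arn:aws:route53:::hostedzone/*":
                findings.append("hostedzone/* lets cert-manager write records in every "
                                f"zone; scope it to arn:aws:route53:::hostedzone/{hosted_zone_id}")
    return findings

def scope_to_zone(policy_json: str, hosted_zone_id: str) -> str:
    """Return the policy with hostedzone/* narrowed to the zone holding the Okteto subdomain."""
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        stmt["Resource"] = [r.replace("hostedzone/*", f"hostedzone/{hosted_zone_id}")
                            for r in as_list(stmt.get("Resource", []))]
    return json.dumps(policy, indent=2)
```

Running audit_route53_policy(PAGE_POLICY, "<your-zone-id>") reports the single hostedzone/* finding, and the output of scope_to_zone can be saved and passed to eksctl via --attach-policy-arn after creating it as a managed policy.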

There is a typo in the document

  {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:GetChange",
            "Resource": "arn:aws:route53:::change/*"
        },
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/*"
        },
    ]
}

Should be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:GetChange",
            "Resource": "arn:aws:route53:::change/*"
        },
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/*"
        }
    ]
}

Thanks @davidtacheny, updated!

I’ve done this a few times and I keep struggling on the commands to do this, so here it is for people unfamiliar with Kubernetes.

  1. Make sure you’re in the right context
  2. helm install cert-manager jetstack/cert-manager \
       --namespace cert-manager \
       --create-namespace \
       --version v1.13.1 \
       --set installCRDs=true \
       --set "extraArgs[0]=--issuer-ambient-credentials=true" \
       --set "serviceAccount.annotations.eks\.amazonaws\.com/role-arn=arn:aws:iam::XXXXXXXXX:role/eksctl-okteto-cluster-ServiceRole-XXXXXXX"
  3. kubectl apply -f issuer.yaml -n okteto
  4. kubectl apply -f certificate.yaml -n okteto